Changing the password is a fair point that I hadn't considered



I think that most people on here haven't considered this. In fact, I arrived at your comment by searching the page for "reset". The majority of folks seem too focused on trying to outclass Justin and/or getting in the last word. They're not thinking. Just for fun, I went to see how many licks it actually does take to get to the center of a Tootsie Roll Pop, i.e., clicks to reveal a password using the passwords dialog box in Chrome. There are about 27 keyboard button presses for the URL, then a mouse click for the Show button. Fair enough. Too bad I can get to the password reset field in Facebook in 3 mouse clicks, using my bookmarks bar. I'm pretty sure that I won't need 25 more clicks for the verification email. So if we're all just gauging security by how difficult you can make getting at a password, then I beat Justin. And my "exploit" is platform independent.


I'm not trying to outclass anyone, I'm simply not sure that this is the right solution and so far I'm fully convinced by what he said. I'm sure he's way smarter than I and I'm probably missing something. Take everything I say as it is: a comment on the internet.

This being said, security through obscurity is never an optimal solution, but again I'm going back to my "safe" analogy (not unbreakable, just hard to break). If a hacker wants to change the password, it takes a few clicks to locate a site where the user could be logged in. Then the clicks required to get a new password. Add the delay of email reception and so on... It takes more time and effort to do that than to just click "show me all the passwords" and take a photo with a smartphone. Plus doing so will give you 1 password only.

About the keyboard presses count, let's say I use both mouse and keyboard.

ctrl+, (shortcut to settings), click Advanced, click Manage, click Show.

It's 4 operations. In my opinion, it's way shorter to do that and get ALL the passwords of a given user than to try to change the Facebook password. Again, and I'm really stressing this, it's not about making an unbreakable system. It's just making it a bit harder to break.


Don't most sites require that you enter your old password before you can change it?


Indeed, I guess this is a +1 against storing passwords in plaintext (well, obtainable in any case), as a person could change your password and take over the account completely.


Not if you use the "reset" option. Which... you have their email account. So...


Heh. I wasn't even thinking about the "Forgot your password" feature. Better still.
